docs(lethe-oidc-stub): record review pass + conclusion
docs(lethe-oidc-stub): record verify pass
docs(lethe-oidc-stub): record verify-driven fix-up deviations
auth: fix OIDCVerifier injection wiring + OIDCDevStub root attachment
Surfaced by the first end-to-end smoke of `auth.oidc.enabled=true`:
- `OIDCVerifier.Cfg` was typed `config.OIDCConfig`, but only `AuthConfig`
is registered as a `config-section:""` (config.go:31-37). Steward's
type-keyed injection threw `failed to find dependency` at `mgr.Inject`,
panicking the daemon. Latent since 80b1c09 — never reached because no
prior verified path enabled OIDC. Retyped to `config.AuthConfig`,
Init now reads `Cfg.OIDC.{Issuer,Audience,UsernameClaim}`. Sibling-
consistent with `Authenticator` and `OIDCDevStub`.
- `OIDCDevStub` had no dependents and no `steward.Root()` modifier, so
steward logged `ERR empty dependents asset without root option` and
skipped it in lifecycle bookkeeping (Destroy never called on shutdown).
Added `steward.Root()` to its registration; shutdown log now shows
`destroying component component=auth.OIDCDevStub`.
docs(lethe-oidc-stub): record execute deviations
auth: integrate oidcstub as opt-in dev OP under auth.oidc.dev_stub
config: add auth.oidc.dev_stub block (disabled by default)
auth: lift oidc test stub into internal/testutil/oidcstub
docs(lethe-oidc-stub): design + plan
docs: track tooling DX and lethe-oidc-stub follow-up (#10)
- TODO.md: mark task #5 (lethe-web-ui-aggregates) Reviewed; add task
#10 lethe-oidc-stub (promote the in-test oidcTestServer to an
exported testutil package, optionally a cmd/oidc-stub binary, to
unblock real-browser smoke without standing up Authelia locally).
New sections: Repo hygiene / Tooling DX (with the four tooling items
now landed) and Deferred operational follow-ups (sourcecraft push +
browser smoke for #5).
- tasks/lethe-web-ui-aggregates.md: cross-ref the deferred browser
smoke to task #10 in Future work.
tooling: adopt go tool directives; rename air→dev; bundle fmt drift
- Justfile: rename `air:` to `dev:`, body uses `go tool air`; the three
migrate recipes use `go tool migrate`; `fmt` adds `go fix ./...`.
Stale `brew install golang-migrate` comment block replaced with the
one-line `go get -tool` bootstrap hint.
- README.md: quickstart says `just dev`.
- go.mod: declare github.com/air-verse/air and golang-migrate's cmd
in the `tool` block (Go 1.24+) so contributors never need a separate
install step. Updates go.sum accordingly.
- internal/domain/stats/repository.go: pre-existing `HostSplit` indent
drift + trailing newline, surfaced by goimports inside the new fmt
recipe.
docs(lethe-web-ui-aggregates): record execute, verify, review
Mark task Reviewed. Conclusion captures the eight active
deviations, the four Important review findings (all
resolved in 3fbbfc8 and 1818fac), the verify checklist
(positive / negative / invariant / interface checks all
passing), and the deferred items needing user smoke
through the new SPA routes in a real browser.
project: drop unreachable rawHosts/rawTools fields on Project
The struct literal carried two unexported fields with
db:"raw_hosts" / db:"raw_tools" tags, but the actual scan
target is the local rawRow struct in List() that does the
GROUP_CONCAT split + dedupe before assigning Hosts/Tools.
sqlx silently ignores the unexported fields, so they never
held any data; they just confused the next reader of the
type definition.
web: review fixes for projects/stats SPA routes
- ProjectsTable: drop the inner navigate call from handleOpen;
the parent route already navigates via the onOpen callback,
so the second push was creating a duplicate history entry
on every row click. Matches the SessionsTable pattern.
- HorizontalBars: replace href:string with onActivate(row)
callback. The earlier shape passed a pre-encoded path
string straight into TanStack <Link to={...}>; routing the
navigation through the typed (to, params) form via the
caller avoids any double-encoding ambiguity around splat
params and decouples the primitive from a specific route.
- stats.css: drop duplicated .card / .card-head / .card-body
blocks. The same rules already live in shell.css (loaded
globally), so any future divergence between the two copies
would silently desync.
web: regenerate embedded SPA bundle for stats route
Vite stamps content-hash asset filenames; the Phase 5 source changes
flipped both bundle hashes. The Phase 5 commit (e048bdf) shipped the
source but not the regenerated index.html, which the Go server embeds
via embed.FS to serve the SPA. Re-stage so the embedded asset path
matches the actual bundle on disk.
web: stats route with backend-driven chart primitives
web: project detail route scoped via ?cwd= sessions filter
web: projects index route with real /projects data
stats: add /api/v1/stats aggregate endpoint
Implements Phase 2 of lethe-web-ui-aggregates: a single-round-trip
/api/v1/stats endpoint that bundles per-tool rollup, daily time-series,
84-cell activity heatmap, top-cwd ranking, hour-of-day distribution, and
host split. All six aggregations run fresh per request; no server cache.
- internal/domain/stats/buckets.go: pure helpers DailyWindow, FillDaily,
HeatmapWindow, HourWindow — fully deterministic, tested independently.
- internal/domain/stats/repository.go: Filter/Stats types and Repository.Stats
— six SQL queries joined via sessions+turns, owner scope via OwnerScope
(AllOwners / SpecificOwner / default), sparkline capped at 60 buckets.
- internal/domain/stats/handler.go: Handler.List — ?range=7d|30d|90d|all
(default 30d); ?range=<other> → 400 INVALID; ?owner= non-admin → 403.
- internal/server/server.go: register *stats.Handler alongside project/sessions.
- cmd/lethe/main.go: add statsRepo/statsHnd to var block and steward graph.
- cmd/lethe/main_e2e_test.go: add stats.Repository/Handler to e2e graph.
project: add /api/v1/projects aggregation; sessions: add ?cwd= filter
- session.ListFilter gains Cwd *string; List appends working_dir = ?
clause between Host and Since in fixed order (parameterised, column
name is a literal)
- session.Handler reads ?cwd= and threads it to filter.Cwd; empty
string treated as absent, consistent with other optional filters
- new package internal/domain/project:
- Repository.List groups sessions by non-NULL working_dir in a single
SQL round-trip; correlated subquery picks top_tool with tie-broken
by tool ASC; Hosts/Tools deduped and sorted in Go after
GROUP_CONCAT
- Handler mounts GET /projects; resolveScope/clampLimit/clampOffset
duplicated from session handler; ?owner= admin gating identical
- server.Server gains Projects *project.Handler inject field; mounted
in /api/v1 Route block
- main.go and e2e test register projectRepo + projectHnd with steward